I am a beginner with PIX.
I am trying to get remote vpn clients to connect through to my office and also be able to connect to internet at the same time.
The first problem I encounter is that when I check the "Allow LAN access" tab in the properties of the 3.6.1 client, I am still not able to browse the internet. The client does not seem to pick up that this is checked, and when I look at the connection it says LAN access disabled. Rebooting did not change this.
The next option, I guess, is allowing the browsing to work through the VPN tunnel. The issue here is the way Cisco does not allow outside IPs on security0 to connect to internal IPs on security100. I then have to allow this access out.
Here is my config.
Any help would be greatly appreciated.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
hostname gw
domain-name somedomain
names
name 172.16.0.0 WaynesWorld-LAN1
object-group network WaynesWorld-Internal-LANs
description WaynesWorld LAN segments
network-object WaynesWorld-LAN1 255.255.248.0
network-object WaynesWorld-LAN2 255.255.248.0
network-object WaynesWorld-LAN3 255.255.248.0
network-object WaynesWorld-LAN4 255.255.248.0
object-group service WaynesWorld-Outbound-Services tcp
description Allowed outbound services for WaynesWorld - TCP
port-object eq www
port-object eq ftp
access-list inside_nat0_outbound permit ip WaynesWorld-LAN1 255.255.0.0 172.16.240.0 255.255.255.0
access-list inside_access_in permit tcp object-group WaynesWorld-Internal-LANs any object-group WaynesWorld-Outbound-Services
access-list inside_access_in permit icmp host mgmt any
access-list outside_access_in permit ip 172.16.240.0 255.255.255.0 WaynesWorld-LAN1 255.255.0.0
pager lines 24
interface ethernet0 100basetx
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside ???.???.???.2 255.255.255.0
ip address inside 172.16.8.50 255.255.248.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool 172-16-24pool 172.16.240.1-172.16.240.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
pdm location 172.16.240.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 WaynesWorld-LAN1 255.255.248.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 1??.1??.???.? 1
route inside WaynesWorld-LAN1 255.255.248.0 172.16.8.100 1
route inside 172.16.10.0 255.255.254.0 172.16.8.100 1
route inside 172.16.12.0 255.255.254.0 172.16.8.100 1
route inside 172.16.14.0 255.255.254.0 172.16.8.100 1
route inside WaynesWorld-LAN3 255.255.248.0 172.16.8.100 1
route inside WW2-LAN1 255.255.248.0 172.16.8.10 1
route inside WaynesWorld-LAN4 255.255.248.0 172.16.8.102 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 3:00:00 absolute uauth 0:17:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 172.16.8.190 ???? timeout 5
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication match outside_authentication_RADIUS outside RADIUS
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
auth-prompt prompt "Enter you credentials"
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 2000 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client token authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption 3des
isakmp policy 100 hash md5
isakmp policy 100 group 1
isakmp policy 100 lifetime 86400
vpngroup WW240 address-pool 172-16-24pool
vpngroup WW240 dns-server 172.16.8.??
vpngroup WW240 wins-server 172.16.8.??
vpngroup WW240 default-domain Somedomain.com
vpngroup WW240 idle-time 1800
vpngroup WW240 password ********
telnet timeout 5
ssh timeout 20
username
username
terminal width 80
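Added example (not part of the original post): the PIX 6.x split-tunnel setting for the WW240 group, which makes the client send only the listed office subnets into the tunnel and everything else straight to its local Internet connection. The client's "Allow LAN access" box only covers the client's own local LAN, and PIX 6.2 cannot turn decrypted client traffic back out the outside interface, so the second approach in the post is not available on this release. Assumptions: the group name is WW240, the tunnelled ranges are 172.16.0.0/21 (WaynesWorld-LAN1) and 172.16.8.0/21 (the inside subnet and the /23 routes inside it), and the ACL name WW240_splitTunnelAcl is constructed here.

```cisco
! Constructed example, not the poster's running config.
! Split-tunnel ACL: source = office networks that must go through the
! tunnel, destination = any (PIX 6.x form). Everything not matched here
! leaves the client unencrypted via its local default route.
access-list WW240_splitTunnelAcl permit ip 172.16.0.0 255.255.248.0 any
access-list WW240_splitTunnelAcl permit ip 172.16.8.0 255.255.248.0 any
! Attach the ACL to the group the client connects with.
vpngroup WW240 split-tunnel WW240_splitTunnelAcl
! Verify after the next client connection:
!   show vpngroup WW240            -> split-tunnel line is present
!   show access-list WW240_splitTunnelAcl -> hitcnt grows as clients connect
! The existing nat 0 rule for 172.16.240.0/24 still exempts the
! office-to-client traffic from translation and is unchanged.
```

A split-tunnelled client sits on the Internet and on the office network at the same time, so the inside ACL and the client's own host firewall carry more of the load than with a full tunnel.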